08e8d462fe
RED PILL 🔴 💊
86 lines
3.4 KiB
Text
86 lines
3.4 KiB
Text
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2018-03-03
|
|
Identifier: Operation HoneyBee
|
|
Reference: https://goo.gl/JAHZVL
|
|
*/
|
|
|
|
import "pe"
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule HoneyBee_Dropper_MalDoc {
|
|
meta:
|
|
description = "Detects samples from Operation Honeybee"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://goo.gl/JAHZVL"
|
|
date = "2018-03-03"
|
|
hash1 = "86981680172bbf0865e7693fe5a2bbe9b3ba12b3f1a1536ef67915daab78004c"
|
|
hash2 = "0d4352322160339f87be70c2f3fe096500cfcdc95a8dea975fdfc457bd347c44"
|
|
id = "4e8dec29-2c0a-5760-91c9-88f67505a7f1"
|
|
strings:
|
|
$x1 = "cmd /c expand %TEMP%\\setup.cab -F:* %SystemRoot%\\System32"
|
|
$x2 = "del /f /q %TEMP%\\setup.cab && cliconfg.exe"
|
|
|
|
$s1 = "SELECT * FROM Win32_Processor" fullword ascii
|
|
$s2 = "\"cmd /c `wusa " fullword ascii
|
|
$s3 = "sTempPathP" fullword ascii
|
|
$s4 = "sTempFile" fullword ascii
|
|
$s5 = "GetObjectz" fullword ascii
|
|
$s6 = "\\setup.cab" ascii
|
|
condition:
|
|
uint16(0) == 0xcfd0 and filesize < 400KB and ( 1 of ($x*) or 4 of them )
|
|
}
|
|
|
|
rule OpHoneybee_Malware_1 {
|
|
meta:
|
|
description = "Detects malware from Operation Honeybee"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://goo.gl/JAHZVL"
|
|
date = "2018-03-03"
|
|
hash1 = "d31fe5cfa884e04ee26f323b8d104dcaa91146f5c7c216212fd3053afaade80f"
|
|
hash2 = "fc2bcd38659ae83fd25b4f7091412ae9ba011612fa4dcc3ef665b2cae2a1d74f"
|
|
hash3 = "2c5e5c86ca4fa172341c6bcbaa50984fb168d650ae9a33f2c6e6dccc1d57b369"
|
|
hash4 = "439c305cd408dbb508e153caab29d17021a7430f1dbaec0c90ac750ba2136f5f"
|
|
id = "5f48434e-efe6-5cd8-85e2-eabf528e6c58"
|
|
strings:
|
|
$x1 = "cmd /c taskkill /im cliconfg.exe /f /t && del /f /q" fullword ascii
|
|
$x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii
|
|
$x3 = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv" fullword ascii
|
|
$x4 = "D:\\Task\\MiMul\\" ascii
|
|
|
|
$s1 = "[DLL_PROCESS_ATTACH]" fullword ascii
|
|
$s2 = "cmd /c systeminfo >%s" fullword ascii
|
|
$s3 = "post.txt" fullword ascii
|
|
$s4 = "\\temp.ini" ascii
|
|
$s5 = "[GetFTPAccountInfo_10001712]" fullword ascii
|
|
$s6 = "ComSysAppMutex" fullword ascii
|
|
$s7 = "From %s (%02d-%02d %02d-%02d-%02d).txt" fullword ascii
|
|
$s8 = "%s %s %c%s%c" fullword ascii
|
|
$s9 = "TO EVERYONE" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 200KB and (
|
|
pe.imphash() == "e14b59a79999cc0bc589a4cb5994692a" or
|
|
pe.imphash() == "64400f452e2f60305c341e08f217b02c" or
|
|
1 of ($x*) or
|
|
3 of them
|
|
)
|
|
}
|
|
|
|
rule OpHoneybee_MaoCheng_Dropper {
|
|
meta:
|
|
description = "Detects MaoCheng dropper from Operation Honeybee"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://goo.gl/JAHZVL"
|
|
date = "2018-03-03"
|
|
hash1 = "35904f482d37f5ce6034d6042bae207418e450f4"
|
|
id = "b163e08e-3892-55f6-ae3e-30d2ba3f4310"
|
|
strings:
|
|
$x1 = "\\MaoCheng\\Release\\" ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 600KB and 1 of them
|
|
}
|